Introduction

VNMC is a virtual appliance, based on Red Hat Enterprise Linux, that provides centralized device and security policy management of Cisco virtual services. Designed for multiple-tenant operation, VNMC provides seamless, scalable, and automation-centric management for virtualized data center and cloud environments. With both a built-in UI and an XML API, VNMC enables centralized management of Cisco virtual services by an administrator or through an API.

VNMC is built on an information model-driven architecture in which each managed device is represented by its subcomponents (or objects), which are parametrically defined. This model-centric approach enables VNMC to provide a secure, multiple-tenant virtualized infrastructure with Cisco Adaptive Security Appliance 1000V (ASA 1000V) and Cisco Virtual Security Gateway (VSG) virtual services.

All ASA 1000Vs and VSGs are centrally managed, thereby simplifying provisioning and troubleshooting in a scaled-out data center. By using device profiles with their specified device configuration policies, you can deploy consistent policies to one or more profile-managed resources.

Security Profile

Security profiles enable you to represent a security policy configuration in a profile that:

• Simplifies provisioning

• Reduces administrative errors during security policy changes

• Reduces audit complexities

• Enables a highly scaled-out data center environment

Stateless Device Provisioning

The management agents in VSG and ASA 1000V are stateless, receiving information from VNMC and thereby enhancing scalability.

Security Policy Management

Security policies are authored, edited, and provisioned for all VSGs and ASA 1000Vs in a data center, which simplifies the operation and management of security policies, and ensures that the required security is accurately represented in the associated security policies.

VNMC interacts with the Cisco Nexus 1000V VSM to bind the security profile with the corresponding Cisco Nexus 1000V Series switch port profile. When VMs are dynamically instantiated and applied to appropriate port profiles, their association to trust zones is also established.

Multi-Tenant Management

VNMC can manage compute and edge firewall security policies in a dense multi-tenant environment, so that you can rapidly add or delete tenants, and update tenant-specific configurations and security policies. This feature significantly reduces administrative errors, ensures segregation of duties within the administrative team, and simplifies audit procedures.

Role-Based Access Control

Role-Based Access Control (RBAC) simplifies operational tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures. With RBAC, organizations can reduce administrative errors and simultaneously simplify auditing requirements. VNMC supports local and remote authentication with RBAC.

Before you perform any operation on VNMC after you deploy the OVA, configure NTP servers for VNMC, ASA 1000V, VSG, and VSM. If you do not do so, ASA 1000Vs, VSGs, and VSMs will not be able to register with VNMC. See Configuring NTP.

Configuring NTP

Before you perform any operation in VNMC, configure NTP on ASA 1000V, VSG, and VSM. If you do not do so, ASA 1000Vs, VSGs, and VSMs will not be able to register with VNMC.

Support for ASA 1000V in HA Configurations

VNMC 2.0 supports virtual ASA 1000V instances in high availability (HA) configurations by verifying that the HA role and mode match. The supported HA configurations are those that result from pool associations, in which a logical edge firewall is assigned to a pool of firewall instances.

VNMC supports virtual ASA 1000V instances in HA configurations by:

• Enabling you to specify the HA mode (either HA or Standalone) when you add an edge firewall to VNMC.

• Detecting HA mode and role changes in the HA configurations and acting on those changes as follows:

– If an edge firewall HA mode changes, and the edge firewall is assigned to a pool but not yet associated, VNMC examines the resource pool for a matching resource. A matching resource must match the edge firewall HA mode and the virtual ASA 1000V instance HA role.

– If the HA role of a virtual ASA 1000V instance changes, VNMC triggers reassociation for the logical edge firewall and looks for a match between the edge firewall HA mode and the virtual ASA 1000V instance HA role.

This behavior occurs under the following conditions:

— The ASA 1000V instance is in a pool.

— The pool is assigned to a logical edge firewall.

— No matching resources for the edge firewall were available before the HA role change.

Note: VNMC does not verify that the HA role and mode match if a virtual ASA 1000V instance is directly associated with a logical edge firewall.

ASDM Cross-Launch from VNMC

After you deploy a virtual ASA 1000V instance and register the ASA 1000V instance to VNMC, you only need to navigate to the virtual ASA 1000V instance and click Launch ASDM for the ASDM GUI to open in a separate window.

System Enhancements

In addition to system upgrades, VNMC 2.0 provides system backup and restore operations.

User Interface Enhancements and Changes

The following topics describe new and changed features in the VNMC 2.0 UI:

VNMC VM Manager and VMware vCenter Server Connections

VNMC VM Manager automatically connects to the VMware vCenter server on HTTP port 80. A vCenter extension file is required to establish a connection between VM Manager and vCenter. The extension file is exported from VNMC and linked on the VM Managers tab. You install it as a plugin on all vCenter servers to which you want to connect.

Upgrading vCenter to a New Version

If you upgrade vCenter to a new version and use the same IP address, vCenter attributes are not updated in VNMC. For example, the vCenter attributes for VMs and hosts on the upgraded vCenter are not updated.

Characters in Names Retrieved from vCenter

If you choose Resource Management > Resources > Virtual Machines, the following characters are not allowed in names that are retrieved from vCenter:

" ' ^ & ` < > ? = \ "

If a name that is retrieved from vCenter contains any of these characters, VNMC does not recognize the characters.

Names that can be affected include:

• VM name

• VM DNS name

• VM parent application name

• VM resource pool name

• Hypervisor cluster name

As a result of this behavior, VNMC attribute names do not display correctly in the UI and might be evaluated differently when these attributes are used in policy conditions.
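Because an attribute that VNMC does not recognize correctly may be evaluated differently in a policy condition, it is worth auditing the vCenter inventory for these characters before relying on VM attributes in security profiles. The following script is an added example, not VNMC code or part of the release notes; it assumes the character set is the ten characters listed above (treating the outer quotes in the list as delimiters) and uses a constructed sample inventory with the field names as assumed labels.

```python
"""Audit VM attribute names pulled from vCenter for characters that VNMC 2.0
does not recognize. Added example; the inventory below is constructed."""

# Characters the VNMC 2.0 release notes list as not allowed in names retrieved
# from vCenter. Assumption: the outer quotes in the notes are delimiters, so the
# set is exactly these ten characters.
VNMC_DISALLOWED_CHARS = frozenset('"\'^&`<>?=\\')

# vCenter-derived attributes the release notes say can be affected
# (field names are assumed labels for this example, not VNMC identifiers).
AUDITED_FIELDS = (
    "vm_name",
    "vm_dns_name",
    "parent_app",
    "resource_pool",
    "hypervisor_cluster",
)


def find_disallowed(value):
    """Return the sorted list of disallowed characters present in value."""
    return sorted(set(value) & VNMC_DISALLOWED_CHARS)


def audit_vm(vm):
    """Return {field: [bad chars]} for every audited field of one VM record
    that contains a character VNMC would not recognize. A VM is in either a
    parent application or a resource pool, never both, so absent fields are
    skipped rather than treated as errors."""
    findings = {}
    for field in AUDITED_FIELDS:
        value = vm.get(field)
        if value is None:
            continue
        bad = find_disallowed(value)
        if bad:
            findings[field] = bad
    return findings


def audit_inventory(vms):
    """Return {vm_name: findings} for every VM with at least one affected
    attribute, so an administrator can rename objects before using them in
    policy conditions."""
    report = {}
    for vm in vms:
        findings = audit_vm(vm)
        if findings:
            report[vm["vm_name"]] = findings
    return report


# Constructed sample inventory; not real vCenter data.
SAMPLE_VMS = [
    {"vm_name": "web-01", "vm_dns_name": "web-01.example.test",
     "parent_app": "shop-frontend", "hypervisor_cluster": "cluster-a"},
    {"vm_name": "db<prod>", "vm_dns_name": "db-prod.example.test",
     "resource_pool": "tier=1", "hypervisor_cluster": "cluster-a"},
    {"vm_name": "batch-02", "vm_dns_name": "batch-02.example.test",
     "resource_pool": "ops&backup", "hypervisor_cluster": "Bob's cluster"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_VMS).items():
        for field, chars in findings.items():
            print(f"{name}: {field} contains {''.join(chars)!r}")
```

Run against an export of the real inventory, every VM the script reports is one whose attributes VNMC will not display correctly and whose policy conditions should be reviewed or whose objects should be renamed in vCenter first.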

Value Displayed in Parent App or Resource Pool Field

The VM Properties pane displays Parent App and Resource Pool fields, but only one field contains a value at any time. For example, if the parent application name is displayed, the resource pool name is not displayed. This situation occurs because a VM can be part of a parent application or part of a resource pool, but not both simultaneously.

Open Bugs

The open bugs for VNMC are available in the Cisco Bug Toolkit. The Cisco Bug Toolkit enables you to search for a bug by identifier or by product and version, and provides additional details about the bug, including whether it has been fixed.

Cisco Nexus 1000V Series Switch Documentation

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.